dsccommunity / StorageDsc

DSC resource module is used to manage storage on Windows Servers.
https://dsccommunity.org
MIT License

Access denied to mount iso #273

Open JP-MB opened 1 year ago

JP-MB commented 1 year ago

Problem description

I face an Access Denied issue when launching Start-Dsc

Have you got any idea about this denial? I tried with my authorised credential, but same issue. I tried to give the computer authorization on the DVD, but impossible.

Verbose logs

PS C:\Users\a-xxxxxx\Documents\DSC\SQLInstall> Start-DscConfiguration -Path "C:\Users\a-xxxxxx\Documents\DSC\SQLINSTALL"  -verbose  -wait  -force
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'names
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer NLVCP1842D with user sid S-1-5-21-2082413636-168370749-3624124516-756047.
VERBOSE: [NLVCP1842D]: LCM:  [ Start  Set      ]
VERBOSE: [NLVCP1842D]: LCM:  [ Start  Resource ]  [[MountImage]SQL2019]
VERBOSE: [NLVCP1842D]: LCM:  [ Start  Test     ]  [[MountImage]SQL2019]
VERBOSE: [NLVCP1842D]:                            [[MountImage]SQL2019] Test-TargetResource: Testing Mounted Drive for image file 'S'.
VERBOSE: [NLVCP1842D]:                            [[MountImage]SQL2019] Get-TargetResource: Getting Mounted Drive for image file '\\D1.cougar.ms.lvmh\DfsLvm\Apps\Soft
2019\Ent_Core_2019_64Bit_English'.
Access is denied.
    + CategoryInfo          : PermissionDenied: (MSFT_DiskImage:) [], CimException
    + FullyQualifiedErrorId : HRESULT 0x80070005,Get-DiskImage
    + PSComputerName        : localhost

VERBOSE: [NLVCP1842D]:                            [[MountImage]SQL2019] Test-TargetResource: The image file '\\D1.cougar.ms.lvmh\DfsLvm\Apps\Soft_Nt\_soft\Microsoft\S
2019\Ent_Core_2019_64Bit_English' is not mounted to drive 'S' but should be. Change required.
VERBOSE: [NLVCP1842D]: LCM:  [ End    Test     ]  [[MountImage]SQL2019]  in 0.1250 seconds.
The PowerShell DSC resource '[MountImage]SQL2019' with SourceInfo 'C:\Users\a-millionje\Documents\DSC\SQLInstall.ps1::11::3::MountImage' threw one or more non-termina
logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost

VERBOSE: [NLVCP1842D]: LCM:  [ Start  Resource ]  [[WaitForVolume]WaitForSQL2019]
VERBOSE: [NLVCP1842D]: LCM:  [ Start  Test     ]  [[WaitForVolume]WaitForSQL2019]
VERBOSE: [NLVCP1842D]:                            [[WaitForVolume]WaitForSQL2019] Test-TargetResource: Checking for volume 'S'.
VERBOSE: [NLVCP1842D]:                            [[WaitForVolume]WaitForSQL2019] Test-TargetResource: Volume 'S' not found.
VERBOSE: [NLVCP1842D]: LCM:  [ End    Test     ]  [[WaitForVolume]WaitForSQL2019]  in 0.1410 seconds.
VERBOSE: [NLVCP1842D]: LCM:  [ Start  Set      ]  [[WaitForVolume]WaitForSQL2019]
VERBOSE: [NLVCP1842D]:                            [[WaitForVolume]WaitForSQL2019] Set-TargetResource: Checking for volume 'S'.
VERBOSE: [NLVCP1842D]:                            [[WaitForVolume]WaitForSQL2019] Set-TargetResource: Volume 'S' not found, retrying in 5 seconds.
VERBOSE: [NLVCP1842D]:                            [[WaitForVolume]WaitForSQL2019] Set-TargetResource: Volume 'S' not found, retrying in 5 seconds.
VERBOSE: [NLVCP1842D]:                            [[WaitForVolume]WaitForSQL2019] Set-TargetResource: Volume 'S' not found, retrying in 5 seconds.

DSC configuration

Configuration SQLInstall
{
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
    Import-DSCResource -ModuleName StorageDsc #For ISO-mounting
    Import-DscResource -ModuleName sqlserverdsc

    Node localhost
    {
        $Drive = '\\D1.cougar.ms.lvmh\DfsLvm\Apps\Soft_Nt\_soft\Microsoft\SQL_server\SQL Server 2019\Ent_Core_2019_64Bit_English'

        MountImage SQL2019
        {
            ImagePath   = $Drive
            DriveLetter = 'S'
            #Ensure = 'Present'
            Access      = 'ReadOnly'
        }

        WaitForVolume WaitForSQL2019
        {
            DriveLetter      = 'S'
            RetryIntervalSec = 5
            RetryCount       = 10
        }

        WindowsFeature 'NetFramework45'
        {
            Name   = 'NET-Framework-45-Core'
            Ensure = 'Present'
        }

        SqlSetup 'InstallDefaultInstance'
        {
            InstanceName        = 'TEST'
            Features            = 'SQLENGINE'
            SourcePath          = 'S:\'
            SQLSysAdminAccounts = @('a-xxxxxx','a-xxxxxxx')
            DependsOn           = '[WindowsFeature]NetFramework45'
        }
    }
}
SQLInstall

Suggested solution

I tried to give the computer Read access to the DVD, but impossible.

Operating system the target node is running

WS 2016

PowerShell version and build the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.14393.5582
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.5582
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

StorageDsc version

PS C:\Users\a-millionje\Documents\DSC\SQLInstall> Get-Module -Name 'StorageDsc' -ListAvailable | ft Name,Version,Path

Name       Version Path
----       ------- ----
storagedsc 5.1.0   C:\Program Files\WindowsPowerShell\Modules\storagedsc\storagedsc.psd1

johlju commented 1 year ago

Use the built-in parameter PSDscRunAsCredential, set to the credentials that have permission to read the path: https://learn.microsoft.com/en-us/powershell/dsc/configurations/runasuser?view=dsc-1.1

JP-MB commented 1 year ago

Thanks a lot for your reply, but how do I code it under MountImage? It doesn't seem to be an available parameter.

JP-MB commented 1 year ago

I try something like
Node $Node { {PsDscRunAsCredential = Get-Credential} ....

but no impact, and the credential is required at the console.

johlju commented 1 year ago

You have to change Get-Credential, that is just a simple example. Instead you pass a password as a parameter (PSCredential) to the configuration so that the password is compiled into the MOF file (the configuration run by Start-DscConfiguration). By passing this credential the resource is run as that user; that user needs the correct permissions on the share (share permission and file system permission).

For testing you can pass a plain text password in the compiled configuration. For production you should use a certificate to encrypt the password. See the DSC documentation on how to encrypt credentials.

johlju commented 1 year ago

The parameter is built-in in DSC and supported by LCM.

MountImage SQL2019
{
    ImagePath            = $Drive
    DriveLetter          = 'S'
    #Ensure = 'Present'
    Access               = 'ReadOnly'
    PSDscRunAsCredential = $MyCredential
}

JP-MB commented 1 year ago

I have

PS C:\Users\a-millionje\Documents\DSC\SQLInstall> $credentials

UserName    Password
a-millionje System.Security.SecureString

PS C:\Users\a-millionje\Documents\DSC\SQLInstall> $configData = @{AllNodes = @(@{NodeName= 'localhost';PsDscAllowPlainTextPassword = $true} )}

PS C:\Users\a-millionje\Documents\DSC> ./SQLInstall.ps1 -MyCredential $credentials $configData

cmdlet SQLInstall at command pipeline position 1
Supply values for the following parameters:
Node: NLVCP1842D

Directory: C:\Users\a-millionje\Documents\DSC\SQLInstall

Mode   LastWriteTime    Length Name
-a---- 06/03/2023 15:28 4672   NLVCP1842D .mof

with SQLINSTALL source:

Configuration SQLInstall
{
    param(
        [parameter(mandatory=$true)][string]$Node,
        [PSCredential]$MyCredential
    )

    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
    Import-DSCResource -ModuleName StorageDsc #For ISO-mounting
    Import-DscResource -ModuleName sqlserverdsc

    Node $Node
    {
        $Drive = '\\D1.cougar.ms.lvmh\DfsLvm\Apps\Soft_Nt\Ent_Core_2019_64Bit_English'

        MountImage SQL2019
        {
            ImagePath            = $Drive
            DriveLetter          = 'S'
            Ensure               = 'Present'
            Access               = 'ReadOnly'
            PsDscRunAsCredential = $MyCredential
        }

        WaitForVolume WaitForSQL2019
        {
            DriveLetter      = 'S'
            RetryIntervalSec = 5
            RetryCount       = 10
        }

        WindowsFeature 'NetFramework45'
        {
            Name   = 'NET-Framework-45-Core'
            Ensure = 'Present'
        }

        SqlSetup 'InstallDefaultInstance'
        {
            InstanceName        = 'TEST'
            Features            = 'SQLENGINE'
            SourcePath          = 'S:\'
            SQLSysAdminAccounts = @('a-xxxxxxx','a-xxxxxxx')
            DependsOn           = '[WindowsFeature]NetFramework45'
        }
    }
}
SQLInstall

but I got an issue when running the config

PS C:\Users\a-millionje\Documents\DSC\SQLInstall> Start-DscConfiguration -path "." -verbose -wait

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
The WS-Management service cannot process the request. The WMI service returned an 'access denied' error.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.167 seconds

Apparently it doesn't use my credential; no?

johlju commented 1 year ago

Make sure the account you use in the PSDscRunAsCredential is allowed to run resources. The account needs specific rights on the node. Don't remember which ones now.

johlju commented 1 year ago

The right can be found here https://learn.microsoft.com/en-us/powershell/dsc/configurations/runasuser

Then make sure to run Start-DscConfiguration as an elevated user.

JP-MB commented 1 year ago

Hello, thanks for your support. After investigating, I've changed my source MOF a little bit, with the following:


Configuration SQLInstall
{
    param(
        [parameter(mandatory=$true)][string]$Node,
        [parameter(mandatory=$true)][PScredential] $MyCred
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DSCResource -ModuleName StorageDsc #For ISO-mounting
    Import-DscResource -ModuleName sqlserverdsc

    Node $Node
    {
        #$Drive='\\D1.cougar.ms.lvmh\DfsLvm\Apps\Soft_Nt\_soft\Microsoft\SQL_server\SQL Server 2019\Ent_Core_2019_64Bit_English'
        $Drive = 'C:\Users\a-millionje\Documents\DSC\SW_DVD9_SQL_Svr_Enterprise_Edtn_2019Dec2019_64Bit_English_MLF_X22-22247.ISO'

        MountImage SQL2019
        {
            ImagePath            = $Drive
            DriveLetter          = 'S'
            Ensure               = 'Present'
            Access               = 'ReadOnly'
            PsDscRunAsCredential = $MyCred
        }

        WaitForVolume WaitForSQL2019
        {
            DriveLetter      = 'S'
            RetryIntervalSec = 5
            RetryCount       = 10
        }

        WindowsFeature 'NetFramework45'
        {
            Name   = 'NET-Framework-45-Core'
            Ensure = 'Present'
        }

        SqlSetup 'InstallDefaultInstance'
        {
            InstanceName        = 'TEST'
            Features            = 'SQLENGINE'
            SourcePath          = 'S:\'
            SQLSysAdminAccounts = @('a-millionje','a-akella')
            DependsOn           = '[WindowsFeature]NetFramework45'
        }
    }

    $mydata = @{
        AllNodes = @(
            @{
                NodeName                    = "*"
                PSDscAllowDomainUser        = $true
                PSDscAllowPlainTextPassword = $true
            }
        )
    }
}

SQLInstall


Then I use the following command with configurationdata to generate the MOF:

PS C:\Users\a-millionje\Documents\DSC> .\SQLInstall4.ps1 -configurationdata $mydata


But finally it doesn't want to generate it, arguing a security message

PS C:\Users\a-millionje\Documents\DSC> .\SQLInstall4.ps1 -configurationdata $mydata

cmdlet SQLInstall at command pipeline position 1
Supply values for the following parameters:
Node: NLVCP1843D
MyCred
ConvertTo-MOFInstance : System.InvalidOperationException error processing property 'PsDscRunAsCredential' OF TYPE 'MountImage': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Users\a-millionje\Documents\DSC\SQLInstall4.ps1:14 char:2

Is it really possible to do it?

johlju commented 1 year ago

You're passing in a parameter to the script when the parameter is in the configuration.

Without really knowing what you're doing, I think you probably need to do

# dot-source the script
. .\SQLInstall4.ps1

# pass the parameters to the configuration
SQLInstall -Node 'localhost' -MyCred  $credentials -ConfigurationData $mydata

JP-MB commented 1 year ago

Hello, I do what I read here: https://learn.microsoft.com/en-us/powershell/dsc/configurations/configdata?view=dsc-1.1


johlju commented 1 year ago

It says to use the configuration in the same file but you are passing the configuration from outside the file?

JP-MB commented 1 year ago

No, I pass it in the same file:

Configuration SQLInstall
{
    param(
        [parameter(mandatory=$true)][string]$Node,
        [parameter(mandatory=$true)][PScredential] $MyCred
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DSCResource -ModuleName StorageDsc #For ISO-mounting
    Import-DscResource -ModuleName sqlserverdsc

    Node $Node
    {
        #$Drive='\\D1.cougar.ms.lvmh\DfsLvm\Apps\Soft_Nt\_soft\Microsoft\SQL_server\SQL Server 2019\Ent_Core_2019_64Bit_English'
        $Drive = 'C:\Users\a-millionje\Documents\DSC\SW_DVD9_SQL_Svr_Enterprise_Edtn_2019Dec2019_64Bit_English_MLF_X22-22247.ISO'

        MountImage SQL2019
        {
            ImagePath            = $Drive
            DriveLetter          = 'S'
            Ensure               = 'Present'
            Access               = 'ReadOnly'
            PsDscRunAsCredential = $MyCred
        }

        WaitForVolume WaitForSQL2019
        {
            DriveLetter      = 'S'
            RetryIntervalSec = 5
            RetryCount       = 10
        }

        WindowsFeature 'NetFramework45'
        {
            Name   = 'NET-Framework-45-Core'
            Ensure = 'Present'
        }

        SqlSetup 'InstallDefaultInstance'
        {
            InstanceName        = 'TEST'
            Features            = 'SQLENGINE'
            SourcePath          = 'S:\'
            SQLSysAdminAccounts = @('a-millionje','a-akella')
            DependsOn           = '[WindowsFeature]NetFramework45'
        }
    }

    $mydata = @{
        AllNodes = @(
            @{
                NodeName                    = "*"
                PSDscAllowDomainUser        = $true
                PSDscAllowPlainTextPassword = $true
            }
        )
    }
}

SQLInstall

johlju commented 1 year ago

Change SqlInstall in the end to:

SQLInstall -Node 'localhost' -MyCred  $credentials -ConfigurationData $mydata

JP-MB commented 1 year ago

Hello, same result. Compile is KO.
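
Added example, not code from this thread or from the StorageDsc project: it combines two points johlju makes above, passing -ConfigurationData to the configuration call rather than to the .ps1 file, and encrypting the credential with a certificate instead of setting PSDscAllowPlainTextPassword. The name SQLInstallEncrypted, the certificate path, the thumbprint and the ISO path are placeholders, and it assumes a document-encryption certificate whose private key is installed on the target node.

```powershell
$configData = @{
    AllNodes = @(
        @{
            # Node listed by name, matching the Node block below.
            NodeName             = 'localhost'
            PSDscAllowDomainUser = $true
            # Public key used at compile time to encrypt the credential (placeholder path).
            CertificateFile      = 'C:\DSC\DscPublicKey.cer'
            # Thumbprint of the same certificate on the node (placeholder value).
            Thumbprint           = '<CERTIFICATE-THUMBPRINT>'
        }
    )
}

Configuration SQLInstallEncrypted
{
    param(
        [Parameter(Mandatory = $true)]
        [PSCredential] $MyCred
    )

    Import-DscResource -ModuleName StorageDsc

    Node $AllNodes.NodeName
    {
        # Tells the LCM which certificate decrypts credentials in the MOF.
        LocalConfigurationManager
        {
            CertificateId = $Node.Thumbprint
        }

        MountImage SQL2019
        {
            ImagePath            = '<PATH-TO-ISO>'  # placeholder
            DriveLetter          = 'S'
            Ensure               = 'Present'
            Access               = 'ReadOnly'
            PsDscRunAsCredential = $MyCred
        }
    }
}

# ConfigurationData is passed to the configuration call, not to the .ps1 file.
$credentials = Get-Credential
SQLInstallEncrypted -MyCred $credentials -ConfigurationData $configData -OutputPath .\SQLInstallEncrypted

# Apply the generated .meta.mof (LCM settings), then the configuration itself.
Set-DscLocalConfigurationManager -Path .\SQLInstallEncrypted -Verbose
Start-DscConfiguration -Path .\SQLInstallEncrypted -Wait -Verbose
```

With this configuration data the password in the generated MOF is stored encrypted, so the compiled file does not expose the run-as account to anyone who can read the output folder.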